CVE-2025-23184
MEDIUM
Apache CXF < 3.5.10, 3.6.5, 4.0.6 - Denial of Service via Unclosed CachedOutputStream
Title source: llm
Description
A potential denial of service vulnerability is present in versions of Apache CXF before 3.5.10, 3.6.5 and 4.0.6. In some edge cases, the CachedOutputStream instances may not be closed and, if backed by temporary files, may fill up the file system (it applies to servers and clients).
References (5)
Core 5
Core References
Third Party Advisory
https://www.vicarius.io/vsociety/posts/cve-2025-23184-detect-apache-cxf-vulnerability
Third Party Advisory
https://www.vicarius.io/vsociety/posts/cve-2025-23184-mitigate-apache-cxf-vulnerability
Vendor Advisory
https://security.netapp.com/advisory/ntap-20250214-0003/
Mailing List vendor-advisory
https://lists.apache.org/thread/lfs8l63rnctnj2skfrxyys7v8fgnt122
Scores
CVSS v3
5.9
EPSS
0.0015
EPSS Percentile
34.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-400
Status
published
Products (2)
apache/cxf
< 3.5.10
org.apache.cxf/cxf-core
0 - 3.5.10
Maven
Published
Jan 21, 2025
Tracked Since
Feb 18, 2026